RE: CA-SSL in IIS
From: Lance Wolrab DNET (LWolrab_at_deltanet.net)
Date: 07/15/03
To: 'Benjamin Meade' <ben@lanwest.com.au>, focus-ms@securityfocus.com
Date: Tue, 15 Jul 2003 09:55:17 -0700

It all depends on what you intend to do with your Certificate Authority
(CA). I have set up a self-signed CA with both Microsoft and Netscape
products, and administration of the CA can become a full-time task if you
support a large number of webservers or if you choose to use certificates
for more than just webserver SSL. Certificate services covers a LOT more
than webserver SSL. If the desire is simply to run SSL on a webserver, no
CA is required at all. Just generate the key pair and run SSL. It will
work just like any other SSL webserver, however, there will be no trusted
authority at the certificate's root. This means anyone connecting to the
server will receive an error message and Mac users may not be able to
connect at all since the error often precludes them from completing a
connection with an untrusted authority.

Setting up your own CA brings its own set of decisions. Do you want to be
an intermediate CA and use someone else's root certificate to provide the
automatic, built-in, seamless connection for users who are not SSL savvy?
Do you want to distribute your self-signed root certificate to your
enterprise for internal applications to avoid the cost of a third party
solution (I did this)? Are you prepared to support the fault-tolerance and
redundancy requirements of being your own CA? Will you support Microsoft
products exclusively, or do you see a need to support Apache or Sun One
servers? If you do, Microsoft's built-in CA will not provide you a total
solution and you need to decide if you want to have two CAs that trust each
other in some fashion to support the other platforms. As you can see, there
are a lot of decisions to make at the outset and much like designing an
Active Directory, you can paint yourself in a corner pretty quickly if you
fail to address the important issues.

Lance Wolrab

-----Original Message-----
From: Ed Sunder [mailto:edsunder@threehd.com]
Sent: Tuesday, July 15, 2003 7:50 AM
To: focus-ms@securityfocus.com
Subject: RE: CA-SSL in IIS
What drawbacks are there in becoming your own certificate service?
Versus one of the major SSL services? Other than that the source of the
certificate (if the user looked it up) would not be a commercially known
provider and you couldn't participate in any of the major provider's
ever so valuable certificate programs.

Ed Sunder
Three HD

>You can easily do it using the Microsoft CA service. There
>is plenty of documentation around on the subject.
>
>In short, you set up the CA service, browse to the web
>interface and submit your CSR. Then log on to the service
>as a user with relevant permissions, approve the request,
>et voila, collect your certificate from the web interface.
>
>Regards
>Lee
>--
>Lee Evans
>Vital Online Ltd
>
>> -----Original Message-----
>> From: Benjamin Meade [mailto:ben@lanwest.com.au]
>> Sent: 15 July 2003 09:14
>> To: focus-ms@securityfocus.com
>> Subject: CA-SSL in IIS
>>
>>
>>
>> Hi all,
>>
>> I am looking into installing an SSL certificate into IIS to
>> allow encrypted connections. Rather than pay out a few
>> hundred dollars a year for an SSL cert, I would rather
>> generate it myself.
>>
>> Can I use the CA server in Win2K server for this? Or do I
>> need OpenSSL or something to generate the certificate?
>>
>> Thanks,
>>
>> Benjamin Meade
>> System Administrator
>> LanWest Pty Ltd
>> Ph: (08) 9440 3033
>> Fax: (08) 9440 3370
>>
>>
----------------------------------------------------------------------------
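
Added example (not part of the original thread and not any poster's own commands): the trust behaviour described in Lance Wolrab's reply, reproduced with the OpenSSL command line that the original question mentions rather than with the Microsoft CA service. The names "Example Internal Root" and "www.example.test", the file names and the 30-day lifetime are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every name and file here is made up for illustration.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

build_pki() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Internal Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # 1. Self-signed root CA: the certificate you would distribute to clients.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/pki.cnf" \
    -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
  # 2. Web server key pair and CSR, then the CA issues the certificate.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=www.example.test" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_leaf \
    -out "$WORK/srv.crt" 2>/dev/null || return 1
  # 3. "No CA at all": a key pair whose certificate is signed by its own key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/pki.cnf" \
    -subj "/CN=www.example.test" -extensions v3_leaf \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null || return 1
}

# $1 = root the client has imported ("" = none), $2 = certificate the server presents
client_accepts() {
  if [ -n "$1" ]; then openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  else openssl verify "$2" >/dev/null 2>&1; fi
}

report() {
  if client_accepts "$1" "$2"; then echo "$3: trusted"; else echo "$3: untrusted (warning)"; fi
}

build_pki || { echo "openssl failed" >&2; exit 1; }
report ""             "$WORK/self.crt" "standalone self-signed cert"
report ""             "$WORK/srv.crt"  "CA-issued cert, root not imported"
report "$WORK/ca.crt" "$WORK/srv.crt"  "CA-issued cert, root imported"
report "$WORK/ca.crt" "$WORK/self.crt" "standalone cert, root imported"
```

Only the third case verifies: a certificate from your own CA is accepted once the client has the root, which is why distributing the root certificate is part of running a private CA.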